Daily Data Breaches

Many times after we run a story, Security Fix readers write in to tell us about related incidents. This morning I received an e-mail from a Virginia woman who was recently notified by her mortgage company that it had somehow lost track of a backup tape containing the names, account information, payment history and Social Security numbers of more than 2 million customers.

The company -- Troy, Mich.-based ABN-AMRO Mortgage -- said the tape was lost while being transported by a DHL courier en route to credit reporting company Experian.

I hadn't heard of this breach, but a Google News search turned up about a dozen stories from last week, a few from the bigger news sources like Reuters and MSNBC, but most from smaller, local news organizations. It struck me that had this happened a year ago, we probably would have seen quite a bit more coverage.

But take a quick look at the data breaches so far this year over at PrivacyRights.org and it becomes clear that our society is becoming inured to this type of news. According to that site, this year alone data on nearly 54 million Americans were exposed in nearly 100 incidents of hacking, lost laptops and backup tapes, and inside jobs. And those are just the incidents that have been disclosed.

It is worth mentioning that the woman who brought this latest breach to my attention said she tried to check her credit with TransUnion's TrueCredit.com site but found it was unavailable at the time. The site appears to be up as of this writing, but strangely enough I experienced a similar problem while trying to visit it recently.

I hope the credit reporting agencies are dedicating sufficient resources to making sure these sites remain available. The woman I spoke with was quite upset at the news from her mortgage company, and was even more alarmed when she couldn't get to the site that the letter she received instructed her to visit.

Having recently donated a car to a charity, I was astounded to have them tell me that I could not get a receipt for it unless I provided them with my Social Security Number (required of them by the IRS) because it sold for more than $500. That sets me up for Identity Theft. In my Army job, we are directed to tightly protect SSNs at all times. The IRS needs to upgrade its policy and NOT place us at risk via loosely managed organizations.

It's worth mentioning that in at least one case of backup tapes "lost in transit", the tapes were not in fact lost, but stolen by electronically re-routing a UPS shipment directly to the thieves. The link I just posted (somehow the page posted while I was still editing it--curious) has more details.

Larry A. Smith> In my Army job, we are directed to tightly protect SSNs at all times.

The problem here is that SSNs are being misused. What is an SSN? It's your account number with the Social Security Administration, and is used by the IRS to track your contributions so that you can receive proper disbursement of social security funds when you retire, are disabled, etc. And that's all it is: an account number. So why are we expected to keep it secret? Because numerous irresponsible organizations have decided that instead of tackling the classic security problem of key distribution, they would use our SSNs, or a segment thereof, as passwords. This is utterly wrong, and shouldn't be tolerated.

The way for us not to tolerate it, of course, is for everyone to publish his or her SSN everyplace possible--put it in your .signature, post it on blogs, take out an ad in the newspaper, write it on a bumper sticker, etc. If everyone published SSN, mother's maiden name, and any other lame excuse for a password that lazy corporate idiots have decided to use to protect access to our livelihoods and credit histories, the problem would go away because the banks and corporate office drones would have to get off their fat asses and actually come up with a system for us to agree on and communicate real passwords (or other authenticators).

ABN AMRO's offer of one free year credit monitoring via TransUnion is just not enough. There are 3 main credit bureaus in the U.S. and they are only offering the service of one. Not all creditors report to the same bureaus. Mortgage customers are not protected. If a true theft occurred, what will prevent the thief from waiting one year and then acting upon the personal information contained in the tape?? ABN AMRO can't guarantee that a security breach did NOT take place. This is a SERIOUS flaw in the system. Protect yourselves!

I spoke with a UPS courier. When data tapes are picked up and delivered there is no individual accounting, just one tracking number for all the tapes in a batch of numerous boxes. A tape could go missing before it's picked up, during transit, or after it's delivered. His personal opinion was that missing data tapes are inside jobs and he didn't mean inside UPS. This may explain why no one knows exactly where these tapes go astray. There is no individual tracking. Let's face it, no company is charged with keeping our information safe. If data is stolen, a crime was committed, the vendor is not responsible. If a kid steals your car and causes an accident, you are not responsible.

The ABN Amro and Citigroup tapes were NOT backup tapes. They were tapes containing credit information which the CRA was going to enter into its system.

Bank of America, on the other hand, has had actual backup tapes lost.

The distinction is somewhat important, in that it may be more feasible to integrate additional security measures into the "bulk data transfer" processes, especially since these present what for thieves is the juiciest data in concentrated form.

"A missing backup tape holding valuable data on 2 million mortgage customers has been found, but with the original airbill missing. Though it's unlikely that customer data was compromised, the company has urged affected customers to monitor their credit activity.

"Reuters news agency reports delivery firm DHL International returned the missing tape on Tuesday to ABN AMRO Mortgage Group Inc., a part of Chicago-based LaSalle Bank Corp. The tape disappeared after it was picked up by a DHL carrier on Nov. 18 at ABN AMRO's Chicago data processing center. The tape, containing mortgage account information and Social Security numbers, was headed to a credit bureau in Texas."